You can configure Okta as your identity provider (IDP) for enterprise logins in ArcGIS Online. The configuration process involves two main steps: registering your enterprise IDP with ArcGIS Online and registering ArcGIS Online with the enterprise IDP.
ArcGIS Online requires certain attribute information to be received from the IDP when a user signs in using enterprise logins. The NameID attribute is mandatory and must be sent by your IDP in the SAML response for the federation with ArcGIS Online to work. Because ArcGIS Online uses the value of NameID to uniquely identify a named user, it is recommended that you use a constant value that uniquely identifies the user. When a user from the IDP signs in, ArcGIS Online creates a new user with the user name NameID_<url_key_for_org> in its user store. The allowed characters for the value sent in NameID are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters are replaced with underscores in the user name that ArcGIS Online creates.
ArcGIS Online supports inflow of the givenName and email address attributes of the enterprise login from the enterprise IDP. When a user signs in using an enterprise login, and ArcGIS Online receives attributes named givenname and email or mail (matched case-insensitively), ArcGIS Online populates the full name and the email address of the user account with the values received from the IDP.
It's recommended that you pass in the email address from the enterprise IDP so the user can receive notifications. This helps if the user later becomes an administrator. Having an email address in the account entitles the user to receive notifications regarding any administrative activity and to send invitations to other users to join the organization.
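The two rules above (a mandatory NameID that becomes NameID_<url_key_for_org> with disallowed characters replaced by underscores, and case-insensitive matching of the givenname and email/mail attributes) are easy to get wrong when mapping attributes at the IDP. The following is an added illustration of those documented rules, not Esri's code: it parses a constructed sample SAML response and derives the user name and profile values ArcGIS Online would end up with. The sample values (jane.doe@example.com, the url key cityofredlands) are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 responses and assertions.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Attribute names ArcGIS Online recognises for profile inflow; compared case-insensitively.
NAME_ATTRS = {"givenname"}
EMAIL_ATTRS = {"email", "mail"}

# Characters allowed in the NameID value: alphanumeric, underscore, dot, at sign.
_DISALLOWED = re.compile(r"[^A-Za-z0-9_.@]")


def arcgis_username(name_id: str, url_key: str) -> str:
    """Derive NameID_<url_key_for_org>, replacing every disallowed character with '_'."""
    return f"{_DISALLOWED.sub('_', name_id)}_{url_key}"


def extract_login_attributes(response_xml: str) -> dict:
    """Return the NameID, full name and email an IDP sent in a SAML response.

    Raises ValueError when NameID is missing, because ArcGIS Online cannot
    identify the user without it.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("SAML response carries no Assertion")
    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id_el is None or not (name_id_el.text or "").strip():
        raise ValueError("Assertion has no NameID; federation with ArcGIS Online cannot work")

    result = {"name_id": name_id_el.text.strip(), "full_name": None, "email": None}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = (attr.get("Name") or "").lower()   # case-insensitive match
        value_el = attr.find("saml:AttributeValue", NS)
        value = (value_el.text or "").strip() if value_el is not None else ""
        if name in NAME_ATTRS:
            result["full_name"] = value
        elif name in EMAIL_ATTRS:
            result["email"] = value
    return result


def provision_preview(response_xml: str, url_key: str) -> dict:
    """Combine both rules: what account ArcGIS Online would create for this response."""
    attrs = extract_login_attributes(response_xml)
    attrs["username"] = arcgis_username(attrs["name_id"], url_key)
    return attrs


# Constructed sample response (placeholder IDs and values; no signature element included).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(provision_preview(SAMPLE_RESPONSE, "cityofredlands"))
    print(arcgis_username("DOMAIN\\jdoe", "cityofredlands"))
```

Running it shows why a stable, character-safe NameID matters: a Windows-style value such as DOMAIN\jdoe becomes DOMAIN_jdoe_cityofredlands, and any later change to the IDP's NameID mapping would produce a different user name, not a rename of the existing account.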
Register Okta as the enterprise IDP with ArcGIS Online
- Verify that you are signed in as an administrator of your organization.
- At the top of the site, click Organization and click the Settings tab.
- Click Security on the left side of the page.
- In the Enterprise Logins section, select the One identity provider option, click the Set Enterprise Login button, and enter your organization's name in the window that appears (for example, City of Redlands). When users access the organization website, this text displays as part of the SAML sign-in option (for example, Using your City of Redlands account).
Selecting the One identity provider option allows you to register one enterprise IDP for your ArcGIS Online organization. If you want to authenticate users with enterprise logins from multiple IDPs, register a SAML-based federation instead of a single IDP.
- Choose whether users will be able to join the organization Automatically or Upon invitation from an administrator. Selecting the first option enables users to sign in to the organization with their enterprise login without any intervention from an administrator; their account is registered with the organization automatically the first time they sign in. The second option requires the administrator to invite the necessary users to the organization. When the user receives the invitation, they will be able to sign in to the organization.
- Provide metadata information for the IDP using one of the options below:
- File—Download or obtain a copy of the federation metadata file from Okta and upload the file to ArcGIS Online using the File option.
- Parameters—Choose this option if the URL or federation metadata file is not accessible. Enter the values manually and supply the requested parameters: the login URL and the certificate, encoded in Base64 format. Contact your Okta administrator to obtain these.
- Configure the advanced settings as applicable:
- Encrypt Assertion—Select this option to encrypt the Okta SAML assertion responses.
- Enable Signed Request—Select this option to have ArcGIS Online sign the SAML authentication request sent to Okta.
- Propagate logout to Identity Provider—Select this option to have ArcGIS Online use a logout URL to sign out the user from Okta. Enter the URL to use in the Logout URL setting. If the IDP requires the logout URL to be signed, Enable Signed Request needs to be checked.
- Update profiles on sign in—Select this option to automatically synchronize account information (full name and email address) stored in ArcGIS Online user profiles with the latest account information received from the IDP. Checking this box allows your organization to verify, when a user signs in with an enterprise login, whether the IDP information has changed since the account was first created and if so, to update the user's ArcGIS Online account profile accordingly.
- Enable SAML based group membership—Select this option to allow organization members to link specified SAML-based enterprise groups to ArcGIS Online groups during the group creation process.
- Logout URL—The IDP URL used to sign out the currently signed-in user.
- Entity ID—Update this value to use a new entity ID to uniquely identify your ArcGIS Online organization to Okta.
- When finished, click Update Identity Provider.
- Click Get Service Provider to download the organization's metadata file. Information in this file will be used to register the organization as the trusted service provider with Okta.
Register ArcGIS Online as the trusted service provider with Okta
- Log in to your Okta organization as a member with administrative privileges.
- On the Applications tab, click the Add Application button.
- Click Create New App and select the SAML 2.0 option. Click Create.
- In General Settings, enter an App Name for your organization deployment and click Next.
- On the Configure SAML tab, do the following:
- Enter the value for Single sign on URL, for example, https://[org name].maps.arcgis.com/sharing/rest/oauth2/saml/signin. This value can be copied from the service provider metadata file downloaded from your organization.
- Enter the value for the Audience URI. The default value is set to [org name].maps.arcgis.com. This value can be copied from the service provider metadata file downloaded from your organization.
- Leave the Name ID format as Unspecified.
- Under Advanced Settings, change the Assertion Signature option to Unsigned.
- In the Attribute Statements section, add these attribute statements:
- givenName set to user.firstName + " " + user.lastName
- email set to user.email
- Click Next and click Finish.
- You will now see the Sign On section of your newly created SAML application. To get the Okta IDP metadata, click the Sign On tab and click the Identity Provider metadata link.
- Right-click the People tab and configure which Okta-authenticated users will have access to your organization.
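The metadata exchanged in both procedures (the Okta IDP metadata uploaded under the File option or transcribed under the Parameters option, and the ArcGIS Online service provider metadata whose Single sign on URL and Audience URI are copied into the Okta app) is plain SAML 2.0 metadata XML. The following added example, not code from Esri or Okta, pulls out exactly the values the wizards ask for and runs a few checks a practitioner would want before saving: that a login URL and a signing certificate are present, that endpoints are https, and that the certificate is well-formed Base64 DER. It also reports the service provider's WantAssertionsSigned flag, which is worth comparing with the Assertion Signature setting chosen in the Okta app. Both metadata documents below are constructed samples with placeholder entity IDs, URLs and a placeholder (non-certificate) DER blob.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def parse_idp_metadata(xml_text: str) -> dict:
    """Values the Parameters option needs from Okta: entityID, login URL(s), logout URL(s), signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; this is not identity provider metadata")
    info = {"entity_id": root.get("entityID"), "sso": {}, "slo": {}, "signing_certs": []}
    for el in idp.findall("md:SingleSignOnService", NS):
        info["sso"][el.get("Binding")] = el.get("Location")
    for el in idp.findall("md:SingleLogoutService", NS):
        info["slo"][el.get("Binding")] = el.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means the key serves both purposes
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                info["signing_certs"].append("".join((cert.text or "").split()))
    return info


def parse_sp_metadata(xml_text: str) -> dict:
    """Values the Okta app needs from the ArcGIS Online service provider file: Audience URI, Single sign on URL."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor; this is not service provider metadata")
    info = {
        "audience_uri": root.get("entityID"),
        "acs": {el.get("Binding"): el.get("Location") for el in sp.findall("md:AssertionConsumerService", NS)},
        "name_id_formats": [(el.text or "").strip() for el in sp.findall("md:NameIDFormat", NS)],
        "want_assertions_signed": sp.get("WantAssertionsSigned"),
    }
    return info


def check_idp(info: dict) -> list:
    """Problems to fix before registering the IDP with ArcGIS Online (empty list means none found)."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoint (login URL)")
    for binding, url in list(info["sso"].items()) + list(info["slo"].items()):
        if urlparse(url or "").scheme != "https":
            problems.append(f"endpoint for {binding} is not https: {url}")
    if not info["signing_certs"]:
        problems.append("no signing certificate; ArcGIS Online cannot verify Okta's signatures")
    for cert in info["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("certificate is not valid Base64")
            continue
        if not der.startswith(b"\x30"):
            problems.append("decoded certificate does not start with a DER SEQUENCE")
    return problems


# Constructed placeholder DER blob (a tiny SEQUENCE, not a real certificate) and sample metadata.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/EXAMPLE_APP_ID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/EXAMPLE_APP_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="example-org.maps.arcgis.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-org.maps.arcgis.com/sharing/rest/oauth2/saml/signin" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("login URL:", idp["sso"]["urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"])
    print("problems:", check_idp(idp) or "none")
    print("SP values for Okta:", parse_sp_metadata(SAMPLE_SP_METADATA))
```

Run it against the real files downloaded in the two procedures (Identity Provider metadata from the Okta Sign On tab, and the file from Get Service Provider in ArcGIS Online) to confirm the values typed into each side match before testing a sign-in.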